White House and Trump Administration Sending Different Messages On Election Interference

The President and close advisors keep downplaying Russian interference in the 2020 U.S. election, while U.S. intelligence agencies are issuing muted warnings that many Democrats think have been tempered to please the White House.

The Trump Administration has been sending mixed messages on the security of and risks to the 2020 election in the United States (U.S.). While the President and the White House have largely been silent on Russian Federation activities, they have accused the People’s Republic of China (PRC) of a range of activities to interfere with the election. However, U.S. intelligence agencies have been flagging the activities of the Russian Federation, the PRC, Iran, North Korea, and others, but many Democrats and subject matter experts are arguing these public warnings are not accurately portraying the scope of activities and possible effects. Republican leadership in Congress are, in turn, claiming Democrats are politicizing the issue. The ongoing effect may be to desensitize the American public to interference and to further divide the electorate.

At the White House’s COVID-19 briefing on 10 August, when asked about Russian interference, Trump responded:

The other day they said the three countries; they said China and Russia and Iran and some reporter got up and said, Russia is meddling. I said, well, didn’t it mention China and Iran? Why didn’t you mention them, too?

National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the PRC, and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).

Evanina asserted:

Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process. They may also seek to compromise our election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results. However, it would be difficult for our adversaries to interfere with or manipulate voting results at scale.

Evanina stated “[m]any foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer…[and] [w]e are primarily concerned about the ongoing and potential activity by China, Russia, and Iran”:

  • CHINA – We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China. Although China will continue to weigh the risks and benefits of aggressive action, its public rhetoric over the past few months has grown increasingly critical of the current Administration’s COVID-19 response, closure of China’s Houston Consulate, and actions on other issues. For example, it has harshly criticized the Administration’s statements and actions on Hong Kong, TikTok, the legal status of the South China Sea, and China’s efforts to dominate the 5G market. Beijing recognizes that all of these efforts might affect the presidential race.
  • RUSSIA – We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.” This is consistent with Moscow’s public criticism of him when he was Vice President for his role in the Obama Administration’s policies on Ukraine and its support for the anti-Putin opposition inside Russia. For example, pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption – including through publicizing leaked phone calls – to undermine former Vice President Biden’s candidacy and the Democratic Party. Some Kremlin-linked actors are also seeking to boost President Trump’s candidacy on social media and Russian television.
  • IRAN – We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content. Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.

Evanina vowed to update Americans through future statements as needed.

In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect. Pelosi and Schiff asserted:

  • Today’s statement improves on the last by including more detail that American voters deserve to know, including about the actions of Kremlin-linked actors seeking to undermine Vice President Biden, and seeking to help President Trump. These details should help the public, Congress, and the presidential campaigns guard against foreign disinformation. And we are pleased that Mr. Evanina heeded our call to make additional details public about Russia’s malign interference campaign and Mr. Derkach’s role.
  • Unfortunately, today’s statement still treats three actors of differing intent and capability as equal threats to our democratic elections. Members of Congress have now been briefed on the specific threats facing the 2020 election, and we have been clear with the Intelligence Community that the American people must be provided with specific information that would allow voters to appraise for themselves the respective threats posed by these foreign actors, and distinguish these actors’ different and unequal aims, current actions, and capabilities. All of this can be done consistent with the need to protect sources and methods.

Unlike the first statement by Evanina on the 2020 election, Senate Intelligence Committee acting Chair Marco Rubio (R-FL) and Ranking Member Mark Warner (D-VA) released a joint statement in which they remarked:

  • NCSC Director Evanina’s statement today builds on and provides additional context to his previous statement two weeks ago. We thank him for providing this additional information to the American people, and we look forward to his continued engagement, along with other members of the Intelligence Community and the Administration, with the public over the next 87 days.
  • Evanina’s statement highlights some of the serious and ongoing threats to our election from China, Russia, and Iran. Everyone — from the voting public, local officials, and members of Congress — needs to be aware of these threats. And all of us should endeavor to prevent outside actors from being able to interfere in our elections, influence our politics, and undermine confidence in our democratic institutions.
  • In recent weeks, Evanina, other parts of the Intelligence Community, the FBI, and DHS have provided additional information and briefings to most members of Congress. We thank them for that engagement and encourage them to continue to make this information available. We believe more of the information that was made available in these briefings can, and at the appropriate time should, be shared with the voting public, and we encourage the Intelligence Community to do so in a manner that protects the sources and methods used to collect such information.
  • And we encourage political leaders on all sides to refrain from weaponizing intelligence matters for political gain, as this only furthers the divisive aims of our adversaries.

On 9 August, on Face The Nation, Trump’s National Security Adviser Robert O’Brien was asked about Evanina’s statement and claimed

it’s not just Russia…It’s- the Chinese don’t want the president re-elected. He’s been tougher on China than any president in history. And- and we’re standing up for the first time to the Chinese Communist Party and protecting Americans, protecting our IP, protecting our economy, protecting our- our vaccine data. And so there are a lot of people around the world that aren’t happy with America because they don’t share our values. And that shouldn’t be a surprise to anybody. And we’re going to take every action necessary to- to keep folks out, whether it’s China or Russia or Iran—

When asked about the assertion that the PRC wanted Trump to lose, O’Brien responded:

Well, well they- they’d like the- the president to lose. And- and China, like Russia, like Iran, have engaged in cyber-attacks and phishing and that sort of thing with respect to our election infrastructure, with respect to websites and that sort of thing. We’re- we’re aware of it and we’re- we’re taking steps to counter it. Whether it’s China or Russia or Iran, we’re not going to put up with it. And there will be severe consequences with any country that attempts to interfere with our free and fair elections, whether- whether their- their leaders prefer- prefer Joe Biden or prefer Donald Trump, it doesn’t matter. We’re Americans. We don’t- we’re not going to foreign countries deciding who our next president is going to be.

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a risk assessment of mail-in voting “to support CISA efforts to help U.S., state, and local governments identify and mitigate vulnerabilities to mail-in voting infrastructure, and support physical security, cybersecurity, and operational resilience within the mail-in voting process.” CISA cautioned “[t]his document is not an endorsement of any election management practice.”

CISA reached these “key findings:”

  • All forms of voting – in this case mail-in voting – bring a variety of cyber and infrastructure risks. Risks to mail-in voting can be managed through various policies, procedures, and controls.
  • The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyber attacks. Implementation of mail-in voting infrastructure and processes within a compressed timeline may also introduce new risk. To address this risk, election officials should focus on cyber risk management activities, including access controls and authentication best practices when implementing expanded mail-in voting.
  • Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment when compared to an in-person voting environment. This is because the voter is not present at the time of casting the ballot and cannot help to answer questions regarding their eligibility or identity verification.
  • Operational risk management responsibility differs with mail-in voting and in-person voting processes. For mail-in voting, some of the risk under the control of election officials during in-person voting shifts to outside entities, such as ballot printers, mail processing facilities, and the United States Postal Service (USPS).
  • Physical access at election offices and warehouses represents a risk in a mail-in voting environment. Completed ballots are returned to the election office and must be securely stored for days or weeks before processing through voter authentication and tabulation processes. Managing risks to these processes requires implementing secure procedures for storage, access controls, and chain of custody, such as ballot accounting.
  • Inbound mail-in ballot processes and tabulation take longer than in-person processing, causing tabulation of results to occur more slowly and resulting in more ballots to tabulate following election night. Media, candidates, and voters should expect less comprehensive results on election night, which creates additional risk of electoral uncertainty and confidence in results.
  • Disinformation risk to mail-in voting infrastructure and processes is similar to that of in-person voting while utilizing different content. Threat actors may leverage limited understanding regarding mail-in voting processes to mislead and confuse the public.

CISA noted:

Currently, five states (Colorado, Hawaii, Oregon, Utah, and Washington) automatically send every registered voter a ballot by mail. At least 21 other states have laws that allow at least some elections to be conducted by mail. In addition to the five states that send every voter a ballot, five states (Arizona, California, Montana, Nevada, and New Jersey) and the District of Columbia (D.C.) allow a voter to apply to receive a mail-in ballot permanently, so that voters do not have to apply each election. Currently, 34 states and D.C. allow any registered voter to request a mail-in ballot. There are 16 states that require voters to have an excuse such as temporary absence from the voting district, illness, or disability or require voters to be of a certain age (typically 65+) to be eligible to receive a ballot by mail. Some states are recognizing COVID-19 as a valid excuse.

CISA’s risk assessment of mail-in voting is more positive than its judgment about online voting. In May, a version of CISA’s risk assessment of online voting was leaked that was more critical of state efforts to offer this form of voting in the 2020 election. The risk assessment CISA ultimately issued had softer language about the risks, but the leaked document still conveyed deeper reservations the agency harbored without these becoming its official position.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (22 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will mark up a number of bills and nominations, including:
    • The nomination of Derek Kan to be the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction. (WC Docket No. 12-375)

Other Developments

  • Acting Office of Management and Budget (OMB) Director Russell Vought was confirmed by the Senate by a 51-45 vote. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • Former Vice President and Democratic candidate for President Joe Biden issued a statement on Russian interference with the 2020 election that laid out his plan to respond and retaliate against these ongoing activities. His very high-level plan is a list of currently used methods of combatting cyber-attacks, much of which he would be able to undertake without Congressional assent. Biden contended “[d]espite the exposure of Russia’s malign activities by the U.S. Intelligence Community, law enforcement agencies, and bipartisan Congressional committees, the Kremlin has not halted its efforts to interfere in our democracy.” Biden said “[i]n spite of President [Donald] Trump’s failure to act, America’s adversaries must not misjudge the resolve of the American people to counter every effort by a foreign power to interfere in our democracy, whether by hacking voting systems and databases, laundering money into our political system, systematically spreading disinformation, or trying to sow doubt about the integrity of our elections.” He vowed:
    • If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.
    • I will direct the U.S. Intelligence Community to report publicly and in a timely manner on any efforts by foreign governments that have interfered, or attempted to interfere, with U.S. elections.
    • I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators.
    • These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption.
    • A range of other actions could also be taken, depending on the nature of the attack.
    • I will direct our response at a time and in a manner of our choosing.
    • In addition, I will take action where needed to stop attempts to interfere with U.S. elections before they can impact our democratic processes.
    • In particular, I will direct and resource the Department of Defense, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of State, and the Federal Bureau of Investigation’s Foreign Interference Task Force to develop plans for disrupting foreign threats to our elections process.
    • This will be done, wherever possible, in coordination with our allies and partners, so that we are isolating the regimes that seek to undermine democracies and civil liberties.
  • Top Democrats in Congress have written the Director of the Federal Bureau of Investigation (FBI) requesting “a defensive counterintelligence briefing to all Members of the House of Representatives and the Senate regarding foreign efforts to interfere in the 2020 U.S. presidential election.” Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) sent a letter to FBI Director Christopher Wray in which they claimed “that Congress appears to be the target of a concerted foreign interference campaign, which seeks to launder and amplify disinformation in order to influence congressional activity, public debate, and the presidential election in November.”
  • District of Columbia Attorney General Karl Racine (D) has inserted himself into the struggle raging over the Trump Administration’s remaking of the United States (US) Agency for Global Media (USAGM), in part, by installing Michael Pack as the head of USAGM. He filed suit “to resolve a dispute between two dueling Boards of Directors that has paralyzed the Open Technology Fund (OTF), a District nonprofit…which supports encryption and anti-censorship tools for people living in repressive societies…an independent nonprofit corporation organized and created under District law that receives grant funding from the USAGM” per his press release. Racine claimed:
    • The USAGM CEO does not have authority over OTF’s Board or officers: OTF is an independent D.C. nonprofit corporation, which governs itself under local law and under its own bylaws. While USAGM provides grant funding for OTF’s work, it does not have authority over OTF’s governance. OAG asserts that OTF’s bylaws are clear and that only the organization’s Board of Directors—not USAGM, its leadership, or any other body—has the authority to appoint or remove OTF directors.
    • Dueling Boards have paralyzed OTF: Two Boards are currently claiming authority over OTF, and without clarity as to which Board is properly in place, the organization is effectively leaderless. It is also unable to authorize decisions necessary for carrying out its functions, including decisions to authorize funding partner organizations have already been promised, and decisions related to potential new partnership. The leadership crisis has also left employees of the organization at risk of losing their jobs.
    • The original Board of Directors is the valid Board: OAG asserts that because Pack did not have authority under either District law or OTF’s bylaws to dismiss OTF’s Board of Directors, the Court should recognize OTF’s original Board as valid.
    • Any actions taken on behalf of OTF by Michael Pack or his replacement Board should be voided: Michael Pack did not have authority as USAGM CEO to dismiss or appoint Directors on behalf of OTF. As a result, any actions Pack or the replacement Board have taken on behalf of OTF should be invalidated.
  • The Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) has announced further action against entities from the People’s Republic of China (PRC) by adding “to the Entity List 11 Chinese companies implicated in human rights violations and abuses in the implementation of the PRC’s campaign of repression, mass arbitrary detention, forced labor, involuntary collection of biometric data, and genetic analyses targeted at Muslim minority groups from the Xinjiang Uyghur Autonomous Region (XUAR)” according to the agency’s press release. DOC claimed “[t]oday’s action will result in these companies facing new restrictions on access to U.S.-origin items, including commodities and technology…[and] will supplement BIS’s two tranches of Entity List designations in October 2019 and June 2020, actions that together added 37 parties engaged in or enabling PRC’s repression in Xinjiang.”

Further Reading

  • “Google Promises Privacy With Virus App but Can Still Collect Location Data” – The New York Times. Google’s version of the contact tracing app developed with Apple has a feature the other company’s does not: it prompts users to turn on the Android device’s location setting. This feature would seem to be contrary to the claims made by Google and Apple that their Bluetooth tracing system does not collect sensitive location data. In fact, the companies refused the requests of the governments of the United Kingdom and France, among others, to change settings on their smartphones to allow for centralized information collection on possible COVID-19 transmission. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, raising the question of why the prompt appears.
  • “Inside the Federal Trade Commission’s Facebook probe” – Axios. The anonymous sources inside the Federal Trade Commission (FTC) cautioning that the agency will not likely pursue an anti-trust action against Facebook before next year may be part of an intra-agency quarrel slowing down the inquiry. Allegedly, the FTC’s Bureau of Competition and its Office of Policy Planning are at odds over the drafting of guidance that will govern the Facebook and other anti-trust investigations. The latter wants to keep the current standards of harm to consumers in terms of price changes, which the former thinks are inapplicable in the provision of free services. How this struggle plays out may well inform the agency’s approach to Facebook and other tech companies.
  • “Beware the ‘But China’ Excuses” – The New York Times. This article cautions people against putting too much stock in the claims by the Trump Administration and technology companies that the People’s Republic of China (PRC) is the seeming threat they say it is. If the PRC is such a threat, the United States might consider investing more in basic research and development (R&D) and in some critical tech sectors to develop and build their products in the US. The notion advanced by some tech sector CEOs that breaking up the tech giants will ultimately benefit PRC competitors is also scrutinized.
  • “DHS Authorizes Domestic Surveillance to Protect Statues and Monuments” – Lawfare. One of my law school professors and a colleague examine a Department of Homeland Security (DHS) Office of Intelligence & Analysis (I&A) document that authorizes intelligence and information collection on those who present threats to monuments, memorials, and statues and that seems like a Trojan Horse by which DHS could surveil and mobilize protestors in the streets of American cities. The surveillance cannot be electronic surveillance, but then DHS could ask a sister agency to conduct such activity if needed.
  • “Two more cyber-attacks hit Israel’s water system” – ZDNet. It appears Iran has responded to Israel’s cyber attacks that led to a number of problems at facilities in Tehran. This is the latest in an ongoing battle between the two Middle Eastern enemies that may escalate further.

Senate Armed Services Marks Up FY 2021 NDAA

Per usual, the NDAA contains a number of technology-related provisions, including some of the CSC’s recommendations. The People’s Republic of China and the Russian Federation continue to receive attention.

This week, legislative work began on the FY 2021 National Defense Authorization Act (NDAA). The Senate Armed Services Committee conducted markups at the subcommittee and committee level, almost all of which were in closed settings, and announced a finished bill that has not yet been made available per committee tradition. However, as in years past, a summary of the NDAA has been released that provides a high-level overview of the bill, including its cybersecurity and technology-related provisions. Bill text will not likely be released before the bill comes to the Senate floor.

Most notably, a number of the Cyberspace Solarium Commission’s (CSC) recommendations were apparently included in the bill, an outcome the four CSC Members who also serve in Congress were working towards; Senators Ben Sasse (R-NE) and Angus King (I-ME) served on the CSC and are also on the Senate Armed Services Committee.

The CSC’s highest profile recommendation was not entirely accepted, however. The CSC had called in its final report for a National Cyber Director who would “be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” However, the FY 2021 NDAA merely uses an old strategy on possibly controversial changes: a study would be conducted on a National Cyber Director. Nevertheless, the CSC’s mandate would be extended another 16 months if this legislation is enacted, giving the body more time to work to see this and other recommendations possibly come to fruition.

All of the recommendations in the FY 2021 NDAA are those within the jurisdiction of the Armed Services Committees, suggesting the non-defense cybersecurity recommendations will need to be enacted by the various committees of jurisdiction. Ironically, this is the very issue the CSC addressed in its recommendation that Congress establish “House Permanent Select and Senate Select Committees on Cybersecurity.” However, it is a rare occurrence for Congress to redraw committee jurisdictions in such a significant way, and the Homeland Security Committees were created after the attacks on the United States on 11 September 2001. And yet, it is not uncommon for legislation that pertains mostly to civilian agencies and affairs to get added to the NDAA. For example, the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) was enacted as part of the FY 2013 NDAA.

The Committee explained that the NDAA includes 11 of the CSC’s recommendations:

  • A review of National Guard response to cyberattacks,
  • Adding a force structure assessment in the quadrennial cyber posture review,
  • A report on enabling Cyber Command authorities, direction, and control of Cyber Operations Forces-related budgets, ensuring flexibility and agility to control acquisition,
  • An evaluation of cyber reserve force options, which could provide capable surge capability and enable DOD to draw on cyber talent in the department sector,
  • Improving cyber resiliency of nuclear command and control systems,
  • A modification to fortify the Strategic Cybersecurity program and further cyber vulnerability assessment of weapons systems,
  • A Defense Industrial Base threat intelligence sharing program to support companies’ ability to defend themselves,
  • An assessment of the risk posed by quantum computing to national security systems,
  • An extension of the Cyberspace Solarium Commission for tracking and facilitating the implementation of its recommendations for 16 months,
  • An independent assessment on the feasibility and advisability of establishing a National Cyber Director.

The House Armed Services Committee will begin marking up its FY 2021 NDAA later this month with a full committee markup scheduled for 1 July. It is very likely CSC recommendations will make it into this bill, and so it will be a matter of final negotiations to determine which recommendations are part of the bill, which is seen as must-pass on Capitol Hill. Moreover, CSC recommendations could get folded into appropriations bills for FY 2021, which are often among the last matters Congress addresses before recessing for the winter holidays.

The Committee highlighted other cybersecurity and cyberspace provisions:

  • Updates the responsibilities of the Principal Cyber Advisor, a key driver of the Department’s development and implementation of its 2018 cyber strategy, by increasing the integration and coordination responsibilities of that office to ensure that DOD’s cyber policies are coherent, cohesive, and meet needs,
  • Improves transparency and requires DOD to provide more regular updates on cyber operations to Congress,
  • Requires pilot programs, demonstrations, and/or plans for: speed-based cybersecurity capability metrics to measure DOD performance and effectiveness; interoperability and automated orchestration of cybersecurity systems (increased by $10 million above the President’s request); addressing network timing and address inconsistencies; and integration of user activity monitoring and cybersecurity systems,
  • Requires an assessment of gaps between Cyber Mission Forces and Cybersecurity Service Providers,
  • Authorizes increased funding ($25 million for Air Force Operation and Maintenance and $5 million for Army Operation and Maintenance) to provide Cyber Mission Forces with more resources to access, operate, and train as required by increased operational demands,
  • Improves cyber readiness and “man, train, and equip” by:
    • Authorizing a pilot program to prepare the National Guard for providing cyber assistance remotely in the case of cyber attacks,
    • Prohibiting the Secretary of Defense from taking any action on the National Defense University’s College of Information and Cyber Space until completing an assessment of educational requirements for military and civilian leaders in this domain,
    • Modifying authority to use Operation and Maintenance funds to allow for rapid creation, testing, and fielding of cyber capabilities to respond more quickly to threats, and
    • Improving the training and retention of highly qualified cyber personnel, including providing Cyber Command with the same hiring authority for technical talent as exists at DARPA, the Strategic Capabilities Office, and the Joint Artificial Intelligence Center, and by allowing for pay that is more competitive with commercial industry.

Again, the Committee addressed the threats posed by the DOD having a significant part of its supply chain rooted in the People’s Republic of China (PRC) and the challenges posed by the nation to US military and national security:

  • The FY21 NDAA takes numerous steps to reshape the Defense Industrial Base as a National Security Innovation Base, expanding its industrial capacity, promoting agility and resiliency, and identifying and mitigating risks associated with reliance on foreign adversaries, while investing in relationships with allies and partners. The shift to a National Security Innovation Base requires acknowledging that a whole-of-government approach is needed, and this bill encourages DOD to study broad factors that shape the industrial base and engage with outside stakeholders and interests. Recognizing that procurement restrictions are very powerful, the bill also ensures DOD is exploring all pathways to expand domestic capacity, including increased research and development. Lastly, the legislation safeguards proprietary technology, intellectual property, and other defense-sensitive data from being infiltrated by the government of China.
  • Further implements recommendations from DOD’s report proceeding from Executive Order 13806 on assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the U.S., and updates the framework for modernizing acquisition processes to ensure the integrity of the Defense Industrial Base,
  • Requires analyses of a variety of materials and technology sectors, such as microelectronics, rare earth minerals, medical devices, personal protective equipment and pharmaceutical ingredients, to determine actions to take to address sourcing and industrial capacity,
  • Directs additional steps for certain items, such as microelectronics, printed circuit boards, critical raw materials, and unmanned aircraft systems to mitigate risk of relying on foreign sources for products, materials, components, and manufacturing,
  • Strengthens the National Technology and Industrial Base (NTIB) by creating a Regulatory Council and directing DOD to establish a process for admitting new members,
  • Requires assessment of foreign industrial base capabilities and capacity to see how these drive risk to the U.S. from overreliance on China and their economic aggression,
  • Continues to expand the role of small business, extending the authorization of a pilot program to streamline contracting and auditing processes for innovative technology programs and ensuring DOD pays small business contractors quickly,
  • Directs steps to safeguard defense-sensitive U.S. intellectual property and technology from acquisition by China and with post-employment restrictions pertaining to China.

The Committee highlighted provisions aimed at the PRC and Russia:

  • Extends the limitation on providing sensitive missile defense information to Russia and on the integration of U.S. missile defense systems into those of China and Russia,
  • Requires the Secretary of Defense to submit a report on the risk to DOD personnel, equipment, and operations due to Huawei 5G architecture in host countries and possible steps for mitigation,
  • Requires the Secretary of Defense to consider 5G and 6G security risks posed by vendors like Huawei and ZTE when making overseas basing decisions,
  • Protects the defense industrial base and supply chain, as well as intellectual property and technology, from disruption, infiltration, or theft by the Government of China (see “Innovation Base”),
  • Fully funds the European Deterrence Initiative and increases funding to support rotational forces in Europe,
  • Requires a report on Russian support to racially and ethnically motivated violent extremist groups and networks in Europe and the United States that creates or causes growing national security threats, information warfare, and increasing risks to societal stability and democratic institutions,
  • Extends restrictions on military-to-military cooperation with Russia and any activities that would recognize Russian sovereignty over Crimea,
  • Expresses a sense of the Senate that long-term strategic competition with Russia is a top defense priority that requires sustained investment and enhanced deterrence due to the level of threat posed,

The Committee added

As our strategic competitors develop more and more advanced weapons, equipment, and technology, it’s critical that the United States keep pace through deliberate, knowledge-based development. The FY21 NDAA directs investments and implements policies that will maintain or expand our comparative advantage over China and Russia for key capabilities and technologies. One strategy for accelerating innovation will be through a tailored approach of both subsystem prototypes, including for unmanned surface vessels, and full-scale prototypes, including for hypersonic weapons, based on a detailed understanding of what is necessary to achieve technical and technological maturity.

The bill also

  • Supports the development of fifth-generation (5G) wireless networks by establishing a cross-functional team for 5G wireless networks and designates the DOD Chief Information Officer to lead the team and serve as the senior designated official for related policy, oversight, guidance, and coordination at DOD,
  • Strengthens Science and Technology efforts in emerging technologies, including by requiring: an assessment of U.S. efforts to develop biotechnologies compared to our adversaries; development of Artificial Intelligence use-cases for reform efforts; enhancements to the Quantum Information Science research and development program; and a demonstration of innovative 5G commercial technologies,
  • Encourages DOD to leverage commercially available technology where appropriate, particularly for artificial intelligence,
  • Includes several provisions designed to recruit and retain talent with technology expertise, including requiring a study comparing methods for recruiting and retaining technology researchers used by both the U.S. and Chinese governments and authorizing a pilot program to permit university students and faculty to take on part-time and term employment at DOD labs to work on critical technologies and research activities,

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Trump Administration Claims PRC Is Targeting COVID-19 Research Organizations

The Administration names the PRC as the nation trying to hack into COVID-19 research facilities.

This week, the Trump Administration highlighted hacking by the People’s Republic of China (PRC) that targets entities researching COVID-19. This announcement is the latest in a string of public attributions made by the Trump Administration as part of its larger cybersecurity strategy. For example, the Administration identified “three malware variants—COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH—used by the North Korean government.” Nonetheless, this particular attribution also happens to dovetail, coincidentally or not, with the Trump Administration and Republican Party’s push to throw the focus on the PRC’s actions or inactions at the beginning of the COVID-19 pandemic in Wuhan, PRC.

In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.” The agencies said “[t]he FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” The FBI and CISA claimed that “[t]hese actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.” The agencies asserted “[t]he potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.” The FBI and CISA “urge all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material” and made the following recommendations:

  • Assume that press attention affiliating your organization with COVID-19 related research will lead to increased interest and cyber activity.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data.
  • Actively scan web applications for unauthorized access, modification, or anomalous activities.
  • Improve credential requirements and require multi-factor authentication.
  • Identify and suspend access of users exhibiting unusual activity.

CISA Director Christopher Krebs contended “China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic.” He stressed CISA will “defend our interests aggressively.”

And, to no great surprise, the PRC denied the U.S.’s claims. A spokesperson for the PRC’s Foreign Ministry said:

We firmly oppose and fight all kinds of cyber-attacks conducted by hackers. We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence.

Moreover, the PRC is not the only nation being accused of trying to hack COVID-19 researchers. Iran has been accused of trying to get into the systems of a pharmaceutical company, Gilead, to access any information on its efforts to develop a vaccine. An Iranian spokesperson was quoted as claiming “[t]he Iranian government does not engage in cyber warfare…[and] [c]yber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure.”

Last week, CISA and the United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” NCSC and CISA “highlight[] ongoing activity by APT groups against organisations involved in both national and international COVID-19 responses…[and] describe[] some of the methods these actors are using to target organisations and provides mitigation advice.” The entities being targeted include healthcare bodies, pharmaceutical companies, academia, medical research organisations, and local government. However, the agencies do not identify the APT groups or their countries of origin in the advisory. 

Executive Order on Securing the United States Bulk-Power System

A new EO will result in the systems and equipment from certain nations, most likely including China, being barred from the U.S. electric grid on account of the risk they pose to national security.  

Late last week, President Donald Trump signed an executive order (EO) that would direct the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by the manufacture of components by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policies with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO would establish a blanket ban on bulk power utilities buying systems and equipment from yet-to-be-named foreign adversaries, except where the Department of Energy allows a purchase subject to required mitigations.

Even though the EO and related materials released by the Trump Administration do not spell out the predicate for this action, the likely policy background was informed by broader concerns about possibly compromised ICT coming from the PRC and possibly more specific information about such equipment, hardware, software, and systems. The EO is also of a piece with the Trump Administration’s aggressive policy initiatives to protect the U.S. and rebuff alleged Chinese efforts to lace U.S. supply chains and critical systems with compromised technology that could later be used for espionage or cyber-attack.

Over the last few years, the Trump Administration has reported intrusions and penetrations of the U.S. electric system by hackers sponsored by or related to the Russian government. In 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released an advisory in which they “characterize[d] this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” DHS and the FBI stated, “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” At about the same time, the Department of the Treasury announced sanctions against five Russian entities and 19 Russian nationals for “Russia’s continuing destabilizing activities” including “U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” as detailed in “the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”

The year before, DHS and the FBI advised critical infrastructure operators of a penetration of a nuclear energy operator in Kansas and others throughout the U.S. The agencies jointly claimed, “[t]here is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

And yet, these forays could easily be precursors to the sorts of attacks Russia has waged against its neighbors. For example, in 2015, Russian hackers were identified as the culprits who compromised part of Ukraine’s electric grid, but it appears access was gained and havoc was wreaked through the acquisition of employees’ credentials and not likely through exploitation of weaknesses or backdoors in the utility’s systems. In the Director of National Intelligence’s public 2019 Worldwide Threat Assessment, it was claimed

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Moreover, risks to the energy sector have long been recognized. A 2017 report prepared by the Idaho National Laboratory stated, “ICS attacks are becoming increasingly more targeted and sophisticated, with trusted communications networks, remote access, mobile devices, vendors, and supply chains are the most likely routes of ingress.” In 2014, a U.S. think tank claimed

Vulnerabilities arise when utilities procure hardware and software from third-party vendors, including hardware or software that is intended to support smart grid and cybersecurity initiatives. New products and software may not be sufficiently secure in their design or implementation; they may be subject to malicious manipulation or be compromised by the use of counterfeit parts. Suppliers may not face market pressures or requirements to incorporate cybersecurity features in the design of their systems and devices. In some cases, products sold to the power sector may be insecure by design or insufficiently supported as new risks are identified. These issues are further complicated by the global nature of supply chains, which offer multiple possible entry points for cyber attacks. For example, numerous SCADA (supervisory control and data acquisition) devices are manufactured overseas, including in China, where external cyber threats have originated in the past.

In the EO, Trump found “that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.” He added that “I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States.” Trump wrote, “[t]o address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” He declared that “[i]n light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.”

The EO would bar the purchase of “any bulk-power system electric equipment” from unspecified foreign nations if the transaction poses unacceptable risks to the U.S. electric grid specifically and the U.S. generally. The EO defines foreign adversary as a “foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Presumably countries that have well-developed offensive cyber capabilities like the PRC, Russia, Iran, and North Korea would be designated foreign adversaries.

However, the Secretary of Energy could identify and require the use of mitigation measures that would allow otherwise banned equipment to be bought and used. The Department of Energy “may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.”

More broadly, the Secretary of Energy is directed to use the full authority conferred on his department by Congress and all the powers available under the International Emergency Economic Powers Act (IEEPA), the basis for Presidents to impose sanctions and other economic measures in peacetime. Pursuant to the use of these powers, the Department of Energy will likely identify countries as foreign adversaries for purposes of the EO and the companies they own, control, or have a stake in. Furthermore, the Department should also identify those foreign adversaries or companies that deserve additional scrutiny and a licensing process for those transactions that would otherwise be banned under the EO but are allowed to proceed with mitigation measures. The Department of Energy must also identify any existing bulk power system electric equipment that poses a threat to national or economic security and determine the means by which this equipment could be monitored, isolated, or replaced. The EO would also create a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force) that “shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.”

Finally, regarding the thrust of the EO, it bears mention that the Federal Energy Regulatory Commission (FERC) granted a petition to “defer the implementation of several Commission-approved Reliability Standards that have effective dates or phased-in implementation dates that fall in the second half of 2020,” including CIP-013-1 (Cyber Security – Supply Chain Risk Management), which was designed “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.” The deferral of this and related standards was on account of the COVID-19 pandemic’s effect on the energy sector. When the rule was adopted, FERC explained “Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact Bulk Electric System (BES) Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.”

This EO could serve as a template for future actions to more tightly regulate other critical sectors. It is not hard to imagine Trump or a future president deciding that the threats posed by the PRC or other adversaries justify a heavier role in the regulation of supply chains and even cybersecurity.

Team Telecom Returns Negative Recommendation On China Telecom

Executive branch agencies veto a Chinese telecom operating in the U.S. because of “identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which render the FCC authorizations inconsistent with the public interest.”  

The “Team Telecom” agencies recommended that the Federal Communications Commission (FCC) “revoke and terminate China Telecom (Americas) Corp.’s authorizations to provide international telecommunications services to and from the United States.” This action comes a week after the White House issued an executive order reorganizing the process by which the U.S. government will review foreign investment in telecommunications. In this case, the executive branch agencies that form Team Telecom called on the FCC to terminate and revoke the application of a company from the People’s Republic of China (PRC) to operate in the U.S.

The Department of Commerce’s National Telecommunications and Information Administration (NTIA) “filed on behalf of the Executive Branch of the United States Government a recommendation that the FCC terminate and revoke the Section 214 international authorizations of China Telecom (Americas) Corporation (China Telecom) to provide international voice traffic between the United States and foreign countries” per the agency’s press release. The NTIA continued, “[f]or purposes of this recommendation, the Executive Branch represents agreement among the Departments of Justice (DOJ), Homeland Security (DHS), Defense (DOD), State, Commerce, and the U.S. Trade Representative (USTR).”

The DOJ’s press release provided additional details on Team Telecom’s recommendation, and the agencies “identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which render the FCC authorizations inconsistent with the public interest.” DOJ explained, “[m]ore specifically the recommendation was based on:

  • the evolving national security environment since 2007 and increased knowledge of the PRC’s role in malicious cyber activity targeting the United States;
  • concerns that China Telecom is vulnerable to exploitation, influence, and control by the PRC government;
  • inaccurate statements by China Telecom to U.S. government authorities about where China Telecom stored its U.S. records, raising questions about who has access to those records;
  • inaccurate public representations by China Telecom concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws; and
  • the nature of China Telecom’s U.S. operations, which provide opportunities for PRC state-actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications. 

DOJ added

Some of the foregoing relate to China Telecom’s failure to comply with a 2007 Letter of Assurance, which was a basis for the existing FCC authorizations. The Department’s National Security Division, Foreign Investment Review Section, identified those compliance issues through its mitigation monitoring program. As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms.

Earlier this month, President Donald Trump issued an executive order creating an inter-agency review body to determine whether foreign investment in U.S. telecommunications companies presents national security issues. However, the executive order merely formalizes and changes the longstanding “Team Telecom” process through which proposed foreign investment in the U.S. telecommunications industry has been evaluated. Like the previous body, the new body will consist of representatives from the Departments of Defense, Homeland Security, and Justice and other agencies in an advisory role.